A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective...

36
HAL Id: inria-00432810 https://hal.inria.fr/inria-00432810v2 Submitted on 24 Jan 2012 HAL is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers. L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés. A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem Nicolas Magaud, Julien Narboux, Pascal Schreck To cite this version: Nicolas Magaud, Julien Narboux, Pascal Schreck. A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem. Computational Geometry, Elsevier, 2012, Special Issue on geometric reasoning, 45 (8), pp.406-424. 10.1016/j.comgeo.2010.06.004. inria-00432810v2

Transcript of A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective...

Page 1: A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem∗ Nicolas Magaud, Julien Narboux, Pascal Schreck

HAL Id: inria-00432810https://hal.inria.fr/inria-00432810v2

Submitted on 24 Jan 2012

HAL is a multi-disciplinary open accessarchive for the deposit and dissemination of sci-entific research documents, whether they are pub-lished or not. The documents may come fromteaching and research institutions in France orabroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, estdestinée au dépôt et à la diffusion de documentsscientifiques de niveau recherche, publiés ou non,émanant des établissements d’enseignement et derecherche français ou étrangers, des laboratoirespublics ou privés.

A Case Study in Formalizing Projective Geometry inCoq: Desargues Theorem

Nicolas Magaud, Julien Narboux, Pascal Schreck

To cite this version:Nicolas Magaud, Julien Narboux, Pascal Schreck. A Case Study in Formalizing Projective Geometryin Coq: Desargues Theorem. Computational Geometry, Elsevier, 2012, Special Issue on geometricreasoning, 45 (8), pp.406-424. �10.1016/j.comgeo.2010.06.004�. �inria-00432810v2�

Page 2: A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem∗ Nicolas Magaud, Julien Narboux, Pascal Schreck

A Case Study in Formalizing Projective Geometry in

Coq: Desargues Theorem∗

Nicolas Magaud, Julien Narboux, Pascal Schreck

Universite de Strasbourg - Laboratoire des Sciences de l’Image,de l’Informatique et de la Teledetection (LSIIT, UMR 7005 CNRS-UDS)Pole API, Boulevard Sebastien Brant, BP 10413, 67412 Illkirch, France

{magaud,narboux,schreck}@lsiit-cnrs.unistra.fr

Abstract

Formalizing geometry theorems in a proof assistant like Coq is challeng-ing. As emphasized in the literature, the non-degeneracy conditions lead tolong technical proofs. In addition, when considering higher-dimensions, theamount of incidence relations (e.g. point-line, point-plane, line-plane) inducenumerous technical lemmas. In this article, we investigate formalizing projec-tive plane geometry as well as projective space geometry. We mainly focus onone of the fundamental properties of the projective space, namely Desarguesproperty. We formally prove that it is independent of projective plane geom-etry axioms but can be derived from Pappus property in a two-dimensionalsetting. Regarding at least three dimensional projective geometry, we presentan original approach based on the notion of rank which allows to describeincidence and non-incidence relations such as equality, collinearity and copla-narity homogeneously. This approach allows to carry out proofs in a moresystematic way and was successfully used to fairly easily formalize Desarguestheorem in Coq. This illustrates the power and efficiency of our approach(using only ranks) to prove properties of the projective space.

Key words: formalization, Desargues, rank, projective geometry, Coq,Hessenberg theorem, Hexamys

∗This work is partially supported by the ANR project Galapagos

Preprint submitted to Computational Geometry Theory and Applications April 27, 2010

Page 3: A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem∗ Nicolas Magaud, Julien Narboux, Pascal Schreck

1. Introduction

This article deals with formalizing projective geometry in the Coq proofassistant [1, 7] and studies Desargues property both in the plane and in anat least three dimensional setting (noted ≥ 3-dimensional). In the plane,proofs are constructed in a traditional way using points and lines. However,in a ≥3-dimensional space, we use the concept of rank to formally proveDesargues theorem (in Coq). In the longer term, the underlying objectiveof the presented work consists in designing a formal geometry prover able tohandle the non-degeneracy conditions, and especially in geometric constraintsolving [14, 16].

We choose to focus on projective geometry which is a simple but powerfulenough setting to express arbitrarily complex problems as shown in [20].Moreover, in 3D (or higher), proofs become much more difficult than in2D: first, Desargues property becomes a theorem and consequently all theprojective spaces arise from a division ring; second incidence geometry has todeal not only with points and lines, but also with planes or, more generally,flats; third there is a combinatorial explosion of cases.

For projective plane geometry, we use a traditional approach dealing withpoints, lines and an incidence relation to formally prove the independence ofDesargues property. We then formalize Pappus property as well as hexamysin order to prove Hessenberg theorem, which states that Pappus propertyentails Desargues property in projective plane geometry.

When it comes to ≥3-dimensional projective geometry , we propose toreuse the concept of rank. We aim at showing that this mathematical conceptis well-suited to formalize the foundations of incidence geometry in a proofassistant. Ranks provide a generic way to describe incidence relations andit allows us to express non-degeneracy conditions nicely. Informally, ranksallow to distinguish between equal/non-equal points, collinear/non-collinearpoints, coplanar/non-coplanar points, etc. We validate this approach bysucessfully carrying out a mechanized proof (using only ranks) of Desarguestheorem which is one of the fundamental theorems of the projective space.

We mechanize the proofs using the Coq proof assistant which implementsa higher order intuitionistic logic based on type theory. In such a proof as-sistant, every step of reasoning is proposed by the user (in the form of atactic) but then checked by the system. It dramatically increases the relia-bility of the proofs compared to paper-and-pencil proofs. In addition, duringthe development process, the ability to change the axiom system easily is

2

Page 4: A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem∗ Nicolas Magaud, Julien Narboux, Pascal Schreck

very convenient. Proofs can be automatically rechecked by the system andchanges only require minor rewriting of the proofs. However, formal proofstend to be more technical to write, not leaving out a single piece of details.

Therefore, in our development, we had to design some efficient prooftechniques to deal with points and lines in the plane as well as with matroıdand rank properties when the dimension n of the considered space is greaterthan 2. In addition, we believe a full scale automation is out of scope, butmany small-scale simple automated tactics make writing formal proofs inCoq more tractable.

Related work Proof assistants have already been used in the context ofgeometry. Numerous papers have emphasized the importance of the problemof degenerate cases in formal geometry [9, 13, 19, 24]. Brandt and Schnei-der studied how to handle degenerate cases for the orientation predicatesin computational geometry using three valued logic [3]. Bezem and Hen-dricks formalized Hessenberg’s theorem in Coq [2]. Guilhot has formalizedin Coq a proof of Desargues theorem in affine geometry [13]. Narboux hasformalized in Coq the area method of Chou, Gao and Zhang [6, 15, 23] andapplied it to obtain a proof of Desargues theorem in affine geometry. Kusakhas formalized in Mizar Desargues theorem in the Fanoian projective ≥3-dimensional space [17]. The assumption that the space is Fanoian makes thetheorem more specialized than ours. We also carried out some preliminarywork on formalizing projective plane geometry in Coq [18]. Finally, the ideaof proving projective space theorems with ranks is suggested by Michelucciand Schreck in [21].

Outline of the paper The paper is organized as follows. In section 2, wepresent the axioms for projective geometry and we give an overview of ourCoq formalization. In section 3, we explain Desargues property and why itis a fundamental property of projective geometry. Section 4 investigates therole of Desargues property in the case of the generic 2D projective plane andits links with Pappus property through the notion of Hexamys. Section 5introduces ranks and the associated axiom system for projective space geom-etry, which is then used to formally prove in Coq that Desargues propertyholds in ≥3-dimensional projective space.

2. Axiom Systems of Projective Geometry

Projective geometry is a general setting in the hierarchy of geometrieswhich assumes that two lines in a plane always meet [4, 8]. We first assume

3

Page 5: A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem∗ Nicolas Magaud, Julien Narboux, Pascal Schreck

that we have two kinds of objects (points and lines). Planes are not basicobjects in this axiom system, but are defined within the theory. We thenconsider a relation (∈) between elements of these two sets.

2.1. Axiom System for Projective Plane Geometry

The axiom system for projective plane geometry consists of very fewaxioms linking abstact points and lines of a plane. Informally, these axiomscapture the facts that two different points define one line and two differentlines define one point. Moreover, each line contains at least three points andthere are at least two lines in the plane. Formally, we have the following fiveaxioms:

Line-Existence ∀A B : Point, ∃l : Line, A ∈ l ∧ B ∈ l

Point-Existence ∀l m : Line, ∃A : Point, A ∈ l ∧ A ∈ m

Uniqueness ∀A B : Point, ∀l m : Line,A ∈ l ∧ B ∈ l ∧ A ∈ m ∧ B ∈ m ⇒ A = B ∨ l = m

Three-Points ∀l : Line, ∃ABC : Point,A 6= B ∧ B 6= C ∧ A 6= C ∧ A ∈ l ∧ B ∈ l ∧ C ∈ l

Lower-Dimension-2 ∃l : Line, ∃m : Line, l 6= m

The axiom Lower-Dimension-2 prevents a single line from being amodel, i.e. it ensures we actually describe a two dimensional projectivespace.

2.2. Axiom System for Projective Space Geometry

Several axioms remains the same when we consider an ≥3-dimensionalspace. The required axioms for projective ≥3-dimensional space are listedbelow:

Line-Existence ∀A B : Point, ∃l : Line, A ∈ l ∧ B ∈ l

Pasch

∀A B C D : Point, ∀lAB lCD lAC lBD : Line,A 6=B ∧ A 6=C ∧ A 6=D ∧ B 6=C ∧ B 6=D ∧ C 6=D∧A ∈ lAB ∧ B ∈ lAB ∧ C ∈ lCD ∧ D ∈ lCD∧A ∈ lAC ∧ C ∈ lAC ∧ B ∈ lBD ∧ D ∈ lBD∧(∃I : Point, I ∈ lAB ∧ I ∈ lCD) ⇒(∃J : Point, J ∈ lAC ∧ J ∈ lBD)

4

Page 6: A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem∗ Nicolas Magaud, Julien Narboux, Pascal Schreck

bA

b

B

bC

b

D

b

I

b J

Figure 1: Pasch’s axiom

Uniqueness ∀A B : Point, ∀l m : Line,A ∈ l ∧ B ∈ l ∧ A ∈ m ∧ B ∈ m ⇒ A = B ∨ l = m

Three-Points ∀l : Line, ∃ABC : Point,A 6= B ∧ B 6= C ∧ A 6= C ∧ A ∈ l ∧ B ∈ l ∧ C ∈ l

Lower-Dimension-3 ∃l m : Line, ∀p : Point, p 6∈ l ∨ p 6∈ m

The Point-Existence axiom is replaced by Pasch axiom. Indeed weneed to ensure that two lines always meet only if co-planar. Axiom Lower-Dimension-3 ensures that there exists two lines which do not meet.

2.3. Formalization in Coq

Implementing both axiom systems in the Coq proof assistant is straight-forward. Figure 2 presents the formalization of the projective space in Coq.We denote the predicate ∈ using Incid. To enhance modularity we makeuse of the module system of Coq.

The main difference between the formalization and the axiom systemshown above relies on the fact that we need to be carefull about the equalityrelations and decidability issues. In addition, the equality on points (notedDecPoints.eq) and lines (noted line_eq) are parameters of our theory. Asthe underlying logic of the Coq system is intuitionistic, we have to stateexplicitly which predicates are assumed to be decidable. We assume that wehave a set of points with a decidable equality : DecPoints is a instance of aDecidableType:

5

Page 7: A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem∗ Nicolas Magaud, Julien Narboux, Pascal Schreck

Module Type ProjectiveSpaceOrHigher (DecPoints: DecidableType).

Definition Point := DecPoints.t.

Parameter Line : Type.

Parameter line_eq : Line -> Line -> Prop.

Axiom line_eq_sym : forall l m, line_eq l m -> line_eq m l.

Axiom line_eq_trans : forall l m n,

line_eq l m -> line_eq m n -> line_eq l n.

Axiom line_eq_refl : forall l, line_eq l l.

Parameter Incid : Point -> Line -> Prop.

Axiom incid_dec : forall (A:Point)(l:Line),{Incid A l}+{~Incid A l}.

Axiom line_existence : forall A B : Point,

{l : Line | Incid A l /\ Incid B l}.

Axiom pasch : forall A B C D:Point, forall lAB lCD lAC lBD :Line,

dist4 A B C D ->

Incid A lAB/\Incid B lAB -> Incid C lCD/\Incid D lCD ->

Incid A lAC/\Incid C lAC -> Incid B lBD/\Incid D lBD ->

(exists I:Point, (Incid I lAB /\ Incid I lCD)) ->

exists J:Point, (Incid J lAC /\ Incid J lBD).

Axiom uniqueness : forall (A B :Point)(l1 l2:Line),

Incid A l1 -> Incid B l1 -> Incid A l2 -> Incid B l2 ->

DecPoints.eq A B \/ line_eq l1 l2.

Axiom three_points :

forall l:Line,exists A:Point, exists B:Point, exists C:Point,

dist3 A B C /\ Incid A l /\ Incid B l /\ Incid C l.

Axiom lower_dimension_3 : exists l:Line, exists m:Line,

forall p:Point, ~Incid p l \/ ~Incid p m.

End ProjectiveSpaceOrHigher.

Figure 2: Projective Space Axiom System in Coq

6

Page 8: A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem∗ Nicolas Magaud, Julien Narboux, Pascal Schreck

Module Type DecidableType.

Parameter t : Set.

Parameter eq : t -> t -> Prop.

Axiom eq_refl : forall x : t, eq x x.

Axiom eq_sym : forall x y : t, eq x y -> eq y x.

Axiom eq_trans : forall x y z : t,

eq x y -> eq y z -> eq x z.

Parameter eq_dec : forall x y : t,

{ eq x y } + { ~ eq x y }.

End DecidableType.

The notation {eq x y}+{~ eq x y} means that we must know construc-tively that either x = y or x 6= y. As expressed by the axiom incid_dec

we also assume the decidability of incidence. In Coq syntax /\, \/ and ~

stands respectively for logic conjunction, disjunction and negation. The no-tation {l : Line | Incid A l /\ Incid B l} expresses that there existsa line l going through A and B.

3. Desargues Property

Desargues property is among the most fundamental properties of projec-tive geometry, since in the projective space Desargues property becomes atheorem. Let’s first recall Desargues statement in projective geometry. De-sargues property states that:

Let E be a projective space and A,B,C,A′,B′,C ′ be points in E, if the

three lines joining the corresponding vertices of triangles ABC and A′B′C ′

all meet in a point O, then the three intersections of pairs of corresponding

sides α, β and γ lie on a line.

7

Page 9: A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem∗ Nicolas Magaud, Julien Narboux, Pascal Schreck

bA

b

B

b

C

b O

b

C’

b

A’

b

B’

b

b

b

β

γ

α

If E is of dimension two, Desargues property is independent from allthe projective plane geometry axioms. If E is at least of dimension three,Desargues property is a theorem.

Even though it can be expressed, it is not provable when E is a plane.Indeed in the 2D case, some projective planes are Desarguesian, for instanceFano’s plane, while other planes are not, for instance Moulton plane. Thenext section investigates the role of Desargues property in projective planes.

4. Desargues Property in the Projective Plane

Projective Plane Geometry as defined above is incomplete. Indeed, De-sargues statement does not hold in every model. We show on the one hand,that Desargues property is consistent with the axioms of projective geometryand, on the other hand, that it is independent of them. First we formalizea proof that it is true in a particular model of projective plane geometry(Fano’s plane) and then a proof that in another particular model (Moulton’splane) it is false. This shows the independence of Desargues theorem fromthe axioms of projective plane geometry, which can be regarded as the start-ing point of non-desarguesian geometry [5]. Finally we formalize the proofof Hessenberg’s theorem which demonstrates that in every projective planein which Pappus property holds, Desargues property holds as well.

4.1. Consistency of Desargues Property with Axioms for Projective PlaneGeometry

Fano’s plane is the model of projective plane geometry with the leastnumber of points and lines: 7 each. The incidence relation is illustrated by

8

Page 10: A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem∗ Nicolas Magaud, Julien Narboux, Pascal Schreck

bA

bB

b

bG

b E

b

F

bDbC

Figure 3: Fano’s plane

the figure. In the figure, points are simply represented by points, whereaslines are represented by six segments and a circle (DEF ). One can verifythat the axioms of projective plane geometry (see Section 2.1) hold as shownin [18].

At first sight, proving Desargues property in Fano’s plane seems to bestraightforward to achieve by case analysis on the 7 points and 7 lines. How-ever, this requires handling numerous cases2 including many configurationswhich contradict the hypotheses.

To formalize the property, we make use of two kinds of symmetries: asymmetry of the theory and a symmetry of the statement.

Symmetry of the statement

We first study the special case desargues_from_A_specialized wherethe point O of Desargues configuration corresponds to A, and the line OAcorresponds to ADG, OB to CAE and OC to ABF .The predicate on line A B C l states that the three points A, B and C lieon the line l.

Lemma Desargues_from_A_specialized :

forall P Q R P’ Q’ R’ alpha beta gamma

lPQ lPR lQR lP’Q’ lP’R’ lQ’R’,

((on_line P Q gamma lPQ) /\ (on_line P’ Q’ gamma lP’Q’)) /\

((on_line P R beta lPR) /\ (on_line P’ R’ beta lP’R’)) /\

((on_line Q R alpha lQR) /\ (on_line Q’ R’ alpha lQ’R’)) /\

((on_line A P P’ ADG) /\

(on_line A Q Q’ CAE) /\

2The most naıve approach would consider 77 cases and even with careful analysis itremains untractable to prove all the cases without considering symmetries.

9

Page 11: A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem∗ Nicolas Magaud, Julien Narboux, Pascal Schreck

(on_line A R R’ ABF)) /\

~collinear A P Q /\ ~collinear A P R /\ ~collinear A Q R /\

~collinear P Q R /\ ~collinear P’ Q’ R’ /\

((P<>P’)\/(Q<>Q’)\/(R<>R’)) ->

collinear alpha beta gamma.

Then as Desargues statement is symmetric by permutation of the threelines which intersect in O, we can formalize a proof of slightly more generallemma desargues_from_A where the point O of Desargues configurationstill corresponds to A but the three lines (lP,lQ and lR) intersecting in Oare universally quantified.

Lemma Desargues_from_A :

forall P Q R P’ Q’ R’ alpha beta gamma lP lQ lR

lPQ lPR lQR lP’Q’ lP’R’ lQ’R’,

((on_line P Q gamma lPQ) /\ (on_line P’ Q’ gamma lP’Q’)) /\

((on_line P R beta lPR) /\ (on_line P’ R’ beta lP’R’)) /\

((on_line Q R alpha lQR) /\ (on_line Q’ R’ alpha lQ’R’)) /\

((on_line A P P’ lP) /\

(on_line A Q Q’ lQ) /\

(on_line A R R’ lR)) /\

~collinear A P Q /\ ~collinear A P R /\ ~collinear A Q R /\

~collinear P Q R /\ ~collinear P’ Q’ R’ /\

((P<>P’)\/(Q<>Q’)\/(R<>R’)) ->

collinear alpha beta gamma.

Symmetry of the theory

The theory of Fano’s plane is invariant by permutation of points. It meansthat, even if it is not obvious from Figure 3, all the points plays the samerole: if (A, B, C, D, E, F, G) is a Fano’s plane then (B, C, D, F, E, G, A) isone as well. We formalize this by building a functor from Fano’s theory toitself which permutes the points (Figure 4).

Using this functor and desargues_from_A, we show that Desargues prop-erty holds for any choice for O among the 7 points of the plane. Intuitively,this functor shows that the problem is symmetric and hence that the proofcan assume without loss of generality that O = A.

10

Page 12: A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem∗ Nicolas Magaud, Julien Narboux, Pascal Schreck

Module swapf3 (M:fano_plane) : fano_plane

with [...]

Definition Point:=M.Point.

Definition A:=M.B. Definition B:=M.E.

Definition C:=M.D. Definition D:=M.F.

Definition E:=M.C. Definition F:=M.G.

Definition G:=M.A.

[...]

Definition ABF:=M.BEG. Definition BCD:=M.DEF.

Definition CAE:=M.BCD. Definition ADG:=M.ABF.

Definition BEG:=M.CAE. Definition CFG:=M.ADG.

Definition DEF:=M.CFG.

[...]

End swapf3.

Figure 4: A functor showing an invariance property of Fano’s plane.

11

Page 13: A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem∗ Nicolas Magaud, Julien Narboux, Pascal Schreck

4.2. Independence of Desargues Property from the Axioms for ProjectivePlane Geometry

We now consider a particular model of projective plane geometry, namelyMoulton plane and show that Desargues property does not hold in this model.

4.2.1. Moulton plane and its projective counterpart

Moulton plane [22] is an affine plane in which lines with a negative slopeare bent (i.e. the slope is doubled) when they cross the y-axis. It can beeasily extended into a projective plane.

Moulton plane is an incidence structure which consists in a set of pointsP , a set of lines L, and an incidence relation between elements of P andelements of L. Points are represented by couples (x, y) ∈ R

2. Lines arerepresented by couples (m, b) ∈ (R ∪∞) × R (where m is the slope - ∞ forvertical lines - and b the y-intercept). The incidence relation is defined asfollows:

(x, y) ∈ (m, b) ⇐⇒

x = b if m = ∞

y = mx + b if m ≥ 0

y = mx + b if m ≤ 0, x ≤ 0

y = 2mx + b if m ≤ 0, x ≥ 0.

This incidence structure verifies the properties of an affine plane. It canbe turned into a projective plane through the following process.

• We extend P with points at the infinite (one direction point for eachpossible slope, including the vertical one); therefore P is (R×R)∪ (R∪∞).

• We extend the set L of affine lines with a new one which connects allpoints at the infinite; therefore L is ((R ∪∞) × R) ∪∞.

• We finally extend the incidence relation in order to have all direction

points and only them incident to the infinite line. We also extend eachaffine line with a direction point (the one bearing its slope).

This construction leads to a projective plane. The whole process is formallydescribed in Coq and we formalize in Coq (see [18] for details) that all theaxioms of projective plane geometry presented in section 2.1 hold. Mostproofs on real numbers rely on using Grobner basis computation in Coq [12].

12

Page 14: A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem∗ Nicolas Magaud, Julien Narboux, Pascal Schreck

4.2.2. A counter-model for Desargues Property

We build a special configuration of Desargues for which the property doesnot hold. This can be achieved in an algebraic way using only coordinatesand equations for lines. We first present it that way and then show whyDesargues property does not hold for our configuration.

Let’s consider seven points: O(−4, 12), A(−8, 8), B(−5, 8), C(−4, 6),A′(−14, 2), B′(−7, 0) and C ′(−4, 3). We then build the points α(−3, 4),β(6/11, 38/11) and γ(−35, 8) which are respectively at the intersection of(BC) and (B′C ′), (AC) and (A′C ′) and (AB) and (A′B′). Then we cancheck using automated procedures performing symbolic computation on realnumbers (especially the fourier tactic [7]) that there exists no line in Moultonplane which is incident to these 3 points α, β and γ. The intuitive idea ofthis counter-example is to build a configuration where:

• all points except β are in the left hand side plane and

• the lines (AC) and (A′C ′) which define β have slopes of opposite signs.

Overall Desargues property does not hold in this configuration becauseonly some of the lines are bent. Especially, of the two lines used to build β,one of them is a straight line (A′C ′) and the other one (AC) is bent. Thatis what prevents the three points α, β and γ from being on the same line.

Proofs of these lemmas illustrate how combining automated and interac-tive theorem proving can be successful.

4.3. Hessenberg’s Theorem: Pappus Property Implies Desargues Property

In this section, we describe our formalization of Hessenberg’s theoremstating that Pappus axiom implies that Desargues property holds in theprojective plane. The proof we formalize use the concept of hexamys (mystichexagrams as named by Pascal) and popularized by [25]. We formalized theproof given in [21] and extend it to deal with some degenerate cases.

First, we need to state the Pappus property.

4.3.1. Pappus Property

We say that a plane enjoys Pappus property when:

Definition pappus_weak :=

forall A B C A’ B’ C’ P Q R,

Col A B C -> Col A’ B’ C’ ->

13

Page 15: A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem∗ Nicolas Magaud, Julien Narboux, Pascal Schreck

b b

b

b

b

b

b

b

b

bA B

C

A’

B’

C’

O

α

γ

β

b b

b

b

b

b

b

b

b

b

β

Figure 5: Counter example to Desargues theorem in Moulton plane

b

A

b

B

b

C

b

A’

b

B’

b

C’

bPb

Qb R

Figure 6: Pappus configuration

14

Page 16: A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem∗ Nicolas Magaud, Julien Narboux, Pascal Schreck

all_distinct_6 A B C A’ B’ C’ ->

is_on_proper_inter P A B’ A’ B ->

is_on_proper_inter Q B C’ B’ C ->

is_on_proper_inter R A C’ A’ C ->

Col P Q R.

The property is_on_proper_inter P A B’ A’ B means that the linesAB′ and A′B are well defined and not parallel and P is at the intersection.This definition of Pappus configuration assumes that the six points are dis-tinct and that the intersections are all well defined. This also implies thatthe lines AB and A′B′ are distinct. This definition captures a general con-figuration as shown in Figure 6 without any particular case. But, in fieldof formal proofs, we must be careful about degenerate cases. Fortunately inthe context of projective geometry, the weak version of Pappus property asstated above is also equivalent to this stronger version which assumes thateither all the intersections are well defined or the six points (A,B,C,A′,B′,C ′)are distinct:

Definition pappus_strong :=

forall A B C A’ B’ C’ P Q R,

(all_distinct_6 A B C A’ B’ C’ \/

(line A B’ <> line A’ B /\ A<>B’ /\ A’<>B /\

line B C’ <> line B’ C /\ B<>C’ /\ B’<>C /\

line A C’ <> line A’ C /\ A<>C’ /\ A’<>C) ) ->

Col A B C -> Col A’ B’ C’ ->

is_on_inter P A B’ A’ B ->

is_on_inter Q B C’ B’ C ->

is_on_inter R A C’ A’ C ->

Col P Q R.

4.3.2. Mystic hexagram

We say that a hexagon is a hexamy if the three intersections of the op-posite sides of the hexagon are collinear.

Definition is_hexamy A B C D E F :=

all_distinct_6 A B C D E F /\

let P:= inter (line B C) (line E F) in

let Q:= inter (line C D) (line F A) in

let R:= inter (line A B) (line D E) in

Col P Q R.

15

Page 17: A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem∗ Nicolas Magaud, Julien Narboux, Pascal Schreck

It is easy to show that every circular permutation of a hexamy is also ahexamy.

Lemma hexamy_rot_left : forall A B C D E F,

is_hexamy A B C D E F -> is_hexamy B C D E F A.

We say that a plane enjoys the hexamy property if every permutationof a hexamy is also a hexamy. As circular permuations of hexamys arehexamys, we just need to assume that if (A, B, C, D, E, F ) is a hexamy, then(B, A, C, D, E, F ) is also a hexamy:

Definition hexamy_prop := forall A B C D E F,

is_hexamy A B C D E F -> is_hexamy B A C D E F.

We can show that the hexamy property and Pappus property are equiv-alent.

Lemma 1. Pappus property implies hexamy property.

Proof. Assuming Pappus property, we need to show that if (A, B, C, D, E, F )is a hexamy so is (B, A, C, D, E, F ). Let U ,V and W be the intersectionsof AB and DE, AC and EF , and CD and BF respectively. We need toshow that U , V and W are collinear. Let a, b and c be the intersections ofBC and EF , CD and FA, and AB and DE respectively (we have c = U).As (A, B, C, D, E, F ) is a hexamy, a, b and c are collinear. Let b′ be theintersection of EF and AC (we have b′ = V ). We note a′ ≡ A and c′ ≡ C.a′, b′ and c′ are collinear because b′ is on line AC. Using Pappus prop-erty, it holds that ab′ ∩ a′b, ac′ ∩ a′c and bc′ ∩ b′c are collinear. We haveab′∩a′b = F since a′b = AF and ab′ = EF . Similarly, we have ac′∩a′c = B.Hence the third point bc′ ∩ b′c is on BF . Hence, as bc′ = CD, we havebc′ ∩ b′c = CD ∩ BF = W . The last equality says that W ∈ b′c but sinceb′ = V and c = U , the collinearity of U, V and W holds.

Lemma 2. Hexamy property implies Pappus property.

Proof. When (A,B,C,A′,B′,C ′) is a Pappus configuration, it is easy to showthat it is also a hexamy because the intersections of AB∩A′B′ and BC∩B′C ′

are equal since the points A,B and C and A′, B′ and C ′ are collinear. Usingthe hexamy property we can show that (A,B′,C,A′,B,C ′) is also a hexamy.Hence the Pappus property holds.

16

Page 18: A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem∗ Nicolas Magaud, Julien Narboux, Pascal Schreck

b

C = c’

a

D

Bb’=V

c = U

W

F

E

A = a’

Figure 7: Pappus property implies hexamy property

4.3.3. Hessenberg theorem

Lemma 3. Hexamy property implies Desargues property

Proof. Recall that A′B′C ′ is a Cevian triangle of ABC if A′ ∈ BC, B′ ∈AC, C ′ ∈ AB and the lines AA′, BB′ and CC ′ are concurrent. We distinguishtwo cases, either A′B′C ′ is a Cevian triangle of ABC or not.

bA

b

B

b

C

b O

b

C’

b

A’

b

B’

b

b

P

Q

b

b

b

β

γ

α

17

Page 19: A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem∗ Nicolas Magaud, Julien Narboux, Pascal Schreck

First, we assume that A′B′C ′ is not a Cevian triangle of ABC. By hy-pothesis, points O, A and A′ are collinear. Similarly, O, B and B′ arecollinear and O, C, C ′ are collinear. We want to prove that α, β and γare collinear, where α = BC ∩ B′C ′, β = AC ∩ A′C ′ and γ = AB ∩ A′B′.The auxiliary points: P = A′B′ ∩ BC, Q = AB ∩ B′C ′ are needed. Now(A, A′, P, C, C ′, Q) is a hexamy since its three opposite sides cut respec-tively in points O, B′ and B which are collinear by hypothesis. Thus(A, Q, C ′, A′, P, C) is a hexamy as well, the opposite sides cut respectively inα, β and γ, hence they are collinear.

b

b b

A

B C

bO

b

b

C’

A’

b

B’

b

b

b

b

IL

N

M

b

b

b

β

γ

α = α1 = α2

Second, we assume that A′B′C ′ is a Cevian triangle of ABC. We have toprove that α, β and γ are collinear where α = BC∩B′C ′, β = AC∩A′C ′ andγ = AB ∩ A′B′. We introduce α1 = βγ ∩ BC and α2 = βγ ∩ B′C ′: now wehave to prove that α1 = α2. Auxiliary intersection points are I = OB ∩ βγ,L = A′C ′ ∩ AI, N = AB ∩ LB′ and M = AL ∩ CC ′ (it can be shown thatthese points are well defined). The end of the proof implicitely assumes thatL 6= A′. If L = A′ we construct a proof similar to this one but using apermutation of the statement, if L = B′ we permute again the statement, itcan not be the case that L = A′ = B′ = C ′.Since points L, N and B′ are collinear, (A′, L, B′, I, A, γ) is a hexamy, sois (A′, A, γ, I, B′, L), and hence O, N and β are collinear. With the sec-ond hexamys, (C, B, A, O, I, β) which gives by permutation (C, O, β, I, A, B),we prove that α1, M and N are collinear. A third hexamys is used toprove that α2, M and N are collinear: this is (C ′, B′, β, O, I, L) giving

18

Page 20: A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem∗ Nicolas Magaud, Julien Narboux, Pascal Schreck

(C ′, O, β, I, L, B′). Thus the lines MN and βγ have two points in common:α1 and α2. From the uniqueness axiom, it holds that :

• either the lines are equal but then the configuration degenerates andall points belong to the same line;

• or α1 = α2 and therefore α, β and γ are collinear.

Corollary 1 (Hessenberg). Pappus property implies Desargues property

Proof. Immediate using lemmas 1 and 3.

The formal proofs corresponding to the theorems described in this sectionstill heavily require user-interaction and lack automation. The amount ofcase distinctions required in formal proofs makes them difficult to handle.

4.4. Dealing with Non-degeneracy Conditions: Using Tactics

In this section, we describe a tactic whose implementation is simple butwhich is still powerfull enough to shorten the proofs about degenerate cases.When we know that two points are equal, we can propagate this knowledge.The tactic performs repeated applications of the uniqueness axiom. It pro-ceeds by searching for pattern matching the hypotheses of the two followinglemmas which are easy consequences of the uniqueness axiom.

A ∈ l ∧ B ∈ lA ∈ m ∧ B ∈ m

∧ A 6= B ⇒ l = m

A ∈ l ∧ B ∈ lA ∈ m ∧ B ∈ m

∧ l 6= m ⇒ A = B

It is implemented using Coq tactic language as follows:

Ltac apply_unicity := match goal with

H1: ?A <> ?B,

H2: ?Incid ?A ?l, H3: ?Incid ?B ?l,

H4: ?Incid ?A ?m, H5: ?Incid ?B ?m |- _ =>

let id:= fresh in assert (id: l=m);

try apply (uniq.a1_unique A B l m H1 H2 H3 H4 H5);

subst l

| H1: ?l <> ?m,

H2: ?Incid ?A ?l, H3: ?Incid ?A ?m,

19

Page 21: A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem∗ Nicolas Magaud, Julien Narboux, Pascal Schreck

H4: ?Incid ?B ?l, H5: ?Incid ?B ?m |- _ =>

let id:= fresh in assert (id: A=B);

try apply (uniq.a2_unique l m A B H1 H2 H3 H4 H5);

subst A

end.

Ltac collapse := progress (repeat (apply_unicity;

CleanDuplicatedHyps)).

For example, if we know that A, B, C, A′, B′ and C ′ are all distinct andthat they form a Pappus configuration and that the line A′B is equal to theline AB′ then our collapse tactic infers automatically that the lines AB,AB′, A′C, AB′, BC ′, AC ′, B′C are all equal. This allows to conclude easilythat Pappus theorem holds trivially in this special case (when line A′B isequal to line AB′).

5. Desargues Property in Projective Space

In this section, we switch from projective plane geometry to projectivespace geometry. In 2D, a single fact can have numerous representations (e.g.A ∈ BC vs. A ∈ l ∧ B ∈ l ∧ C ∈ l). In 3D and more, it is even worsebecause the language contains points, lines and planes and all the associatedincidence relations. In section 2.2, we presented the standard axiom systemfor projective space geometry as a reference. But to ease the formalizationin Coq, we propose an alternative axiom system based on the notion ofrank. Indeed, ranks allow to deal only with points which makes proofs easierin a three dimensionnal setting because we do not handle lines and planesexplicitly. This provides a homogeneous description language independent ofthe dimension and will make proving Desargues property in a ≥3-dimensionalsetting much easier.

5.1. Ranks

The concept of rank is a general notion of matroid theory. An integerfunction rk on E is the rank function of a matroid if and only if the followingconditions are satisfied:

R1 ∀X⊆E, 0≤rk(X)≤|X| (nonnegative and subcardinal)

R2 ∀X Y ⊆E, X ⊆ Y ⇒ rk(X) ≤ rk(Y ) (nondecreasing)

20

Page 22: A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem∗ Nicolas Magaud, Julien Narboux, Pascal Schreck

R3 ∀X Y ⊆E, rk(X ∪ Y ) + rk(X ∩ Y ) ≤ rk(X) + rk(Y ) (submodular)

In projective geometry, we can define a rank function on sets of points whichverify the axioms above: a flat being a set of points closed by the collinear-ity relation, the rank of a set of points X is the cardinal of a smallest setgenerating X (see Figure 8 for some examples).

rk{A, B} = 1 A = Brk{A, B} = 2 A 6= Brk{A, B, C} = 2 A, B, C are collinear

with at least two of them distinctrk{A, B, C} ≤ 2 A, B, C are collinearrk{A, B, C} = 3 A, B, C are not collinearrk{A, B, C, D} = 3 A, B, C, D are co-planar,

not all collinearrk{A, B, C, D} = 4 A, B, C, D are not co-planarrk{A, B, C, D, E} ≤ 2 A, B, C, D, E are all collinear

Figure 8: Rank statements and their geometric interpretations

Using this definition, one can show that every projective space has amatroid structure, but the converse is not true. In the next section, weintroduce additional axioms to capture 3D or higher projective geometry. Weshall start by introducing some lemmas about ranks to simplify the proofs.

Proof techniques using ranks. In this section we describe two proof techniquesthat are simple but important to simplify formal proofs.

First, all equalities about ranks (say rk(a) = rk(b)) are usually provedin two steps: first showing that rk(a) ≤ rk(b) and then that rk(a) ≥rk(b). Consequently, when stating a lemma, it is worth being cautious aboutwhether the actual equality is required or if one of the two inequalities isenough to go on with the proofs. This approach allows to avoid numeroustechnical lemmas when carrying out the formal proofs in Coq.

Second, in the proving process, we make often use of axiom R3. Forinstance, if we need to prove a statement like:

rk{A, B, C, D, I} + rk{I} ≤ rk{A, B, I} + rk{C, D, I}

we could be tempted to instantiate axiom R3 with X := {A, B, I} and Y :={C, D, I}. But unfortunately, this statement is not a direct consequence of

21

Page 23: A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem∗ Nicolas Magaud, Julien Narboux, Pascal Schreck

axiom R3. For instance A may be equal to C and consequently {A, B, I} ∩{C, D, I} = {A, I}. Determining the intersection of two finite sets of pointsrequires to distinguish cases about the equality of these points. This leads tointricate proofs in Coq. Therefore, in the rest of this paper, we shall neverconsider the real set theoretical intersection but a lower approximation of theintersection (noted ⊓).

Definition 1 (Literal intersection). Let L1 and L2 be two sets of points.By definition L1 ⊓ L2 is the intersection of the two sets of points consideredsyntactically.

Using literal intersection we can derive a more convenient version of axiomR3 which leads to fewer case distinctions:

Lemma 4 (R3-lit).

∀X Y, rk(X ∪ Y ) + rk(X ⊓ Y ) ≤ rk(X) + rk(Y )

In Coq, it is not possible to define the literal intersection. To capture thisproperty, we use the following lemma:

Lemma 5 (R3-alt).

∀X Y I, I ⊆ X ∩ Y ⇒ rk(X ∪ Y ) + rk(I) ≤ rk(X) + rk(Y )

This lemma will be used heavily in the next sections.

5.1.1. A rank-based axiom system

Contrary to the axiom system shown in section 2.2, we assume that wehave only one kind of objects, namely points. To capture the whole projectivespace, we need to add some new axioms to the matroid’s ones:

Rk-Singleton ∀P : Point, rk{P} ≥ 1

Rk-Couple ∀P Q : Point, P 6= Q ⇒ rk{P, Q} ≥ 2

Rk-Pasch ∀A B C D, rk{A, B, C, D} ≤ 3 ⇒∃J, rk{A, B, J} = rk{C, D, J} = 2

Rk-Three-Points ∀A B, ∃C, rk{A, B, C} = rk{B, C} = rk{A, C} = 2

22

Page 24: A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem∗ Nicolas Magaud, Julien Narboux, Pascal Schreck

Rk-Lower-Dimension ∃A B C D, rk{A, B, C, D} ≥ 4

The first two ones ensure that the rank function is not degenerate. Rk-Pasch is the translation of Pasch’s axiom: rk{A, B, C, D} ≤ 3 means thesepoints are coplanar, thus that the two lines AB and CD intersect.

Using this axiom system we formally proved all the axioms of section 2.2.In particular, the following lemmas Rk-Uniqueness and Rk-Lower-Dimensionare derivable and can be used to prove the Uniqueness and Lower-Dimension-3 axiom respectively:

Lemma 6 (Rk-Uniqueness).

∀A B C D M P,

rk{A, B} = 2rk{C, D} = 2

rk{A, B, M} ≤ 2rk{C, D, M} ≤ 2rk{A, B, P} ≤ 2rk{C, D, P} ≤ 2

rk{A, B, C, D} ≥ 3

⇒ rk{M, P} = 1

Proof. Using R3-alt we have:

rk{A, B, M, P} + rk{A, B} ≤ rk{A, B, M} + rk{A, B, P}

Hence rk{A, B, M, P} = 2, similarly we can show that rk{C, D, M, P} = 2.Moreover rk{A, B, C, D, M, P} ≥ 3 as rk{A, B, C, D} ≥ 3 and {A, B, C, D} ⊆{A, B, C, D, M, P}. Finally, using R3-alt we have:

rk{A, B, C, D, M, P} + rk{M, P} ≤ rk{A, B, M, P} + rk{C, D, M, P}3 + rk{M, P} ≤ 2 + 2

Lemma 7 (Rk-Lower-Dimension).

∃ABCD, ∀M, rk{A, B, M} 6= 2 ∨ rk{C, D, M} 6= 2

Proof. Using axiom Rk-Lower-Dimension, we obtain A,B,C and D suchthat rk{A, B, C, D} = 4.Suppose that rk{A, B, M} = 2 and rk{C, D, M} = 2.Using R3-alt we have that:

rk{A, B, C, D, M} + rk{M} ≤ rk{A, B, M} + rk{C, D, M}

Hence rk{A, B, C, D, M} ≤ 3, which contradicts rk{A, B, C, D} = 4.

23

Page 25: A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem∗ Nicolas Magaud, Julien Narboux, Pascal Schreck

We can also derive a lemma which expresses concisely that for every pointthere exists one which is different, for every line there exists a point not onthis line and for every plane there exists a point not on this plane.

We carried out this proof using an alternative axiom system for ranks.Whereas our development is based on matroid axioms R1, R2 and R3, onecan prove that they are equivalent to the following set of axioms:

R1’ rk(∅) = 0

R2’ rk(X) ≤ rk(X ∪ {x}) ≤ rk(X) + 1

R3’ rk(X ∪ {y}) = rk(X ∪ {z}) = rk(X) ⇒ rk(X) = rk(X ∪ {y, z})

Using this axiom system the proof is straightforward.

Lemma 8 (Construction).

∀E, rk(E) ≤ 3 ⇒ ∃P, rk(E ∪ {P}) = rk(E) + 1

Proof. Consider E such that rk(E) ≤ 3.Using axiom Rk-Lower-Dimension we obtain A,B,C and D such thatrk{A, B, C, D} = 4. Using R2’ we know that rk(E) ≤ rk(E ∪ {A}) ≤rk(E) + 1 and similarly for B,C and D. Suppose that rk(E ∪ {A}) =rk(E ∪ {B}) = rk(E ∪ {C}) = rk(E ∪ {D}) = rk(E), then we would obtainrk(E ∪ {A, B, C, D}) = rk(E) by repeated applications of R3’. This is incontradiction with rk{A, B, C, D} = 4 since rk(E) ≤ 3. Hence there existsa P such that rk(E ∪ {P}) = rk(E) + 1.

Overall, this axiom system is convenient because: first it only deals withpoints and hence the theory is dimension-independent (i.e. it can be scaled toany dimension without modifying the language of the theory), second ranksallow to summarize both positive and negative assumptions about sets ofpoints homogeneously.

5.1.2. Implementation in Coq

The formalization in Coq of our axiom system is quite straightforward3.To increase reusability of the proofs, we define it as a module type of Coq’smodule system (see Figure 9). This module depends on DecPoints whichdefines the type of points with a decidable equality.

3For lack of space, some technical details are omitted here.

24

Page 26: A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem∗ Nicolas Magaud, Julien Narboux, Pascal Schreck

Module Type RankProjectiveSpace (DecPoints:DecidableType).

Module Export FiniteSetsDefs := BuildFSets DecPoints.

Definition set_of_points := t.

Definition Point := DecPoints.t.

Parameter rk : set_of_points -> nat.

Axiom matroid1_a : forall X, rk X >= 0.

Axiom matroid1_b : forall X, rk X <= cardinal X.

Axiom matroid2: forall X Y, Subset X Y -> rk X <= rk Y.

Axiom matroid3: forall X Y,

rk(union X Y) + rk(inter X Y) <= rk X + rk Y.

Axiom rk_singleton_ge : forall P, rk (singleton P) >= 1.

Axiom rk_couple_ge : forall P Q,

~ DecPoints.eq P Q -> rk(couple P Q) >= 2.

Axiom pasch : forall A B C D, rk (quadruple A B C D) <= 3 ->

exists J, rk (triple A B J) = 2 /\ rk (triple C D J) = 2.

Axiom three_points : forall A B, exists C,

rk (triple A B C) = 2 /\

rk (couple B C) = 2 /\ rk (couple A C) = 2.

Parameter P0 P1 P2 P3 : Point.

Axiom lower_dim : rk (quadruple P0 P1 P2 P3) >= 4.

End RankProjectiveSpace.

Figure 9: Definition of projective space geometry with ranks in Coq

On the technical side, defining our axiom system based on ranks requiresa formal description of the concept of sets of points. As our developmentmanipulates only finite sets, we use the development FSets of Filliatre andLetouzey [11]. Since the provided set equality ( =set ) differs from standard(Leibniz) Coq equality, we have to prove that rk is a morphism with respectto set equality:

Lemma 9. ∀X Y, X =set Y ⇒ rk(X) = rk(Y )

Proof. By double inclusion using axiom R2.

25

Page 27: A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem∗ Nicolas Magaud, Julien Narboux, Pascal Schreck

Using this lemma, we can then define rk as a morphism in Coq with respectto =set . This allows to easily replace a set by an equal one when it occursas an argument of rk.

5.2. Desargues Theorem

In this section we describe the proof of Desargues theorem. The idea ofthe proof is classic: we first prove a version of the theorem where the twotriangles are not coplanar, we call it Desargues 3D (see section 5.2.1) andthen we deduce from it a version where A, B, C, A′, B′ and C ′ lie on a sameplane (Desargues 2D) as shown on Figure 10.

As we will see in the next section, using the concept of rank the proof ofthe 3D version is straightforward and special cases can be handled smoothly.In section 5.2.2, we will show how we actually build the 2D version andconclude the proof of the original theorem.

5.2.1. A 3D version of Desargues theorem

In this section, we prove Desargues 3D theorem.

Theorem 1 (Desargues 3D). Let’s consider two (non-degenerate) trian-gles ABC and abc such that they are perspective from a given point O:

rk{A, B, C} = rk{a, b, c} = 3rk{a, A, O} = rk{b, B, O} = rk{c, C, O} = 2

We assume this forms a non planar figure:

rk{A, B, C, a, b, c} ≥ 4

and define three points α, β, γ such that:

rk{A, B, γ} = rk{a, b, γ} = 2rk{A, C, β} = rk{a, c, β} = 2rk{B, C, α} = rk{b, c, α} = 2

Under these assumptions, rk{α, β, γ} ≤ 2 holds.

Lemma 10. rk{A, B, C, α} = 3

Proof. By assumption rk{A, B, C} = 3, hence using axiom R2, rk{A, B, C, α} ≥3. Moreover using R3-alt we have:

26

Page 28: A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem∗ Nicolas Magaud, Julien Narboux, Pascal Schreck

rk{A, B, C, α} + rk{B, C} ≤ rk{A, B, C} + rk{α, B, C}rk{A, B, C, α} + 2 ≤ 3 + 2

Hence, we can conclude that rk{A, B, C, α} = 3. Similar proofs can be donewith β and γ.

Lemma 11. rk{A, B, C, α, β} = 3

Proof. First, using axiom R2 and lemma 10 we have rk{A, B, C, α, β} ≥ 3.Second, using R3-alt we have:

rk{A, B, C, α, β} + rk{A, B, C} ≤ rk{A, B, C, α} + rk{A, B, C, β}rk{A, B, C, α, β} + 3 ≤ 3 + 3

Hence, we can conclude that rk{A, B, C, α, β} = 3.

Lemma 12. rk{A, B, C, α, β, γ} = rk{a, b, c, α, β, γ} = 3

Proof. The proof is similar to lemma 11.

Lemma 13. rk{A, B, C, a, b, c, α, β, γ} ≥ 4

Proof. By assumption rk{A, B, C, a, b, c} ≥ 4, hence using axiom R2,rk{A, B, C, a, b, c, α, β, γ} ≥ 4.

Using these lemmas we can conclude the proof:From R3-alt we know that:rk{A, B, C, a, b, c, α, β, γ} + rk{α, β, γ}

≤ rk{A, B, C, α, β, γ} + rk{a, b, c, α, β, γ}Hence, using lemmas 12 and 13 rk{α, β, γ} ≤ 2 holds.

5.2.2. Lifting from 2D to 3D

In this section, we prove the 2D version of Desargues using the 3D version.

27

Page 29: A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem∗ Nicolas Magaud, Julien Narboux, Pascal Schreck

Statement. Most assumptions are the same as in the 3D version. Let’s con-sider two triangles ABC and A′B′C ′ such that they are perspective from agiven point O:

rk{A, B, C} = rk{A′, B′, C ′} = 3rk{A′, A, O} = rk{B′, B, O} = rk{C ′, C, O} = 2

We define three points α, β, γ such that:

rk{A, B, γ} = rk{A′, B′, γ} = 2rk{A, C, β} = rk{A′, C ′, β} = 2rk{B, C, α} = rk{B′, C ′, α} = 2

Contrary to the 3D case, we assume this forms a planar figure:

rk{A, B, C, A′, B′, C ′, O} = 3

In addition to these assumptions which are closely related to those of Desar-gues 3D theorem, the following non-degeneracy conditions are required:

rk{A, B, O} = rk{A, C, O} = rk{B, C, O} = 3rk{A, A′} = rk{B, B′} = rk{C, C ′} = 2

Desargues theorem states that, under these assumptions, rk{α, β, γ} ≤ 2holds.

Informal Proof. We have to lift triangle A′B′C ′ into a new triangle abc whichis not coplanar with triangle ABC in order to have a configuration of pointsin which Desargues 3D theorem can be applied. The construction is shownin Figure 10. Here are the main steps: we first construct a point P which liesoutside the plane formed by A, B, C, A′, B′, C ′ and O. We know such a pointP exists thanks to lemma 8. We then build a line incident to P and O (thepoint from which triangles ABC and A′B′C ′ are perspective) and considera third point o on this line (axiom Rk-Three-Points ensures such a pointexists and is different from both O and P ). We construct a new point aas the intersection of lines PA′ and oA. We know these two lines intersectbecause of Pasch’s axiom and the fact that lines AA′ and Po intersect inO. We do the same to construct points b and c. Applying Desargues 3Dtheorem to ABC and abc requires to make sure we have a non-degenerate3D figure and that abc is a non-degenerate triangle. We also have to make

28

Page 30: A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem∗ Nicolas Magaud, Julien Narboux, Pascal Schreck

bA

b

B

b

C

b O

b

C’

b

A’

b

B’

bP

bo

b c

ba b b

b

b

b

β

γ

α

Figure 10: Desargues theorem (3D extrusion) A,B,C,A′,B′,C′,O,α,β and γ are co-planar.If P is the sun, triangle abc then casts its shadow in A′B′C′.

sure α defined as the intersection of lines BC and B′C ′ is the same as theα of Desargues 3D theorem which is the intersection of BC and bc. Thisrequirement can be satisfied by simply proving that α is incident to bc. Thesame requirement applies for β and γ. Overall, we have to prove the followingstatements which are requirements to apply Desargues 3D version (proofs aregiven below). Note that when applying the theorem, the point o plays therole of point O.

rk{A, B, C} = rk{a, b, c} = 3rk{A, B, C, a, b, c} ≥ 4

rk{a, b, γ} = rk{a, c, β} = rk{b, c, α} = 2rk{A, B, γ} = rk{A, C, β} = rk{B, C, α} = 2

Statements rk{A, B, γ} = rk{A, C, β} = rk{B, C, α} = 2 and rk{A, B, C} =3 are assumptions of the Desargues 2D theorem, therefore their proofs areimmediate.

Preliminary Lemmas. We remind the reader that the points A, B, C, A′, B′, C ′

and O lie in the same plane. P is a point outside this plane. o is a third pointon the line OP . The point a is defined as the intersection of lines PA′ andoA. Points b and c are defined in a similar way. In this setting, the followinglemmas hold:

29

Page 31: A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem∗ Nicolas Magaud, Julien Narboux, Pascal Schreck

Lemma 14. rk{A′,B′,O}=rk{A′,C ′,O}=rk{B′,C ′,O}=3

Lemma 15. rk{A′, B′, O, P} = rk{A′, B′, O, o} = 4

Lemma 16. rk{A, B, O, a} ≥ 4 rk{A, A′, C, a} ≥ 4

Lemma 17. rk{A, B, O, b} ≥ 4 rk{A, B, O, c} ≥ 4

Lemma 18. rk{o, a} = rk{o, b} = rk{o, c} = 2

Lemma 19. rk{a, c, A, C, β} = rk{a, c, A′, C ′, β} = 3

Proof.

rk{A, C, a, c} + rk{A, C, β} ≥ rk{A, C} + rk{A, C, a, c, β}3 + 2 ≥ 2 + rk{A, C, a, c, β}

Hence rk{A, C, a, c, β} ≤ 3. More as rk{A, C, a, c} = 3, we conclude thatrk{A, C, a, c, β} = 3.

General Lemmas. Most proofs are fairly technical, simply using the matroidaxioms of rank. However, some lemmas can be highlighted, especially fortheir genericity and their pervasive use throughout the proofs. Among them,some stability lemmas state that one of the points of a set characterizing aflat (e.g a plane or the whole space) can be replaced by another one belongingto this flat.

Lemma 20 (Plane representation change).

rk{A, B, C} = 3rk{A, B, C, M} = 3rk{B, C, M} = 3

rk{A, B, C, P} = 4

⇒ rk{M, B, C, P} = 4

This lemma is heavily used to prove all possible statements expressingthat P lies outside the plane formed by A, B, C, A′, B′, C ′, O.

Other lemmas about coplanarity and also upper bound on ranks whenmerging a plane and a line are convenient as well. They could form the basisof an automation procedure when doing computer-checked formal proofs.

30

Page 32: A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem∗ Nicolas Magaud, Julien Narboux, Pascal Schreck

Proving Desargues 3D assumptions.

Lemma 21. rk{A, B, C, a, b, c} ≥ 4

Proof. By lemma 17, we have rk{A, B, O, b} >= 4, hence rk{A, B, C, O, b} ≥4. Using axiom R3-alt, we have:

rk{A, B, C, b} + rk{A, B, C, O} ≥ rk{A, B, C, O, b} + rk{A, B, C}rk{A, B, C, b} + 3 ≥ 4 + 3

Consequently we have rk{A, B, C, b} ≥ 4 and applying axiom R2 twice, itleads to rk{A, B, C, a, b, c} ≥ 4.

Lemma 22. rk{a, b, c} = 3

Proof. By axiom R1 we have rk{a, b, c} ≤ 3.Let’s prove rk{a, b, c} ≥ 3. By axiom R3-alt, we have:

rk{a, b, c, o, A, B} + rk{o, C, c} ≥ rk{A, B, C, o, a, b, c} + rk{o, c}rk{a, b, c, o, A, B} + 2 ≥ 4 + 2

Hence rk{a, b, c, o, A, B} ≥ 4. Again, using axiom R3-alt we have:

rk{a, b, c, o, A} + rk{o, B, b} ≥ rk{a, b, c, o, A, B} + rk{o, b}rk{a, b, c, o, A} + 2 ≥ 4 + 2

Hence rk{a, b, c, o, A} ≥ 4. Applying axiom R3-alt one last time yields:

rk{a, b, c} + rk{o, A, a} ≥ rk{a, b, c, o, A} + rk{a}rk{a, b, c} + 2 ≥ 4 + 1

Hence rk{a, b, c} ≥ 3. Note that this proof relies on the facts that rk{o, b} =2 and rk{o, c} = 2 which are proved as lemma 18.

Lemma 23. rk{a, b, γ} = rk{a, c, β} = rk{b, c, α} = 2

Proof. Using axiom R3-alt, we have:rk{a, c, A, C, β} + rk{a, c, A′, C ′, β} ≥ rk{a, c, A, C, A′, C ′, β} + rk{a, c, β}We have rk{a, c, A, C, A′, C ′, β} ≥ 4 using axiom R2 and lemma 16. Usinglemma 19, we obtain rk{a, c, β} ≤ 2. As rk{a, c} = 2 (because rk{a, b, c} =3), we conclude rk{a, c, β} = 2. Proofs for α and γ are the same.

31

Page 33: A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem∗ Nicolas Magaud, Julien Narboux, Pascal Schreck

5.3. Formalization in Coq

Formalizing Desargues theorem in Coq is straightforward once we havethe axiom system dealing with ranks and proof techniques to handle themnicely. All the above-mentionned lemmas are easily proved and then Desar-gues theorem can be stated as follows:

forall A’ B’ C’ A B C O : Point,

rk(triple A B C)=3 -> rk(triple A’ B’ C’)=3 ->

rk(triple A B O)=3 -> rk(triple A C O )=3 ->

rk(triple B C O)=3 ->

rk(triple A A’ O)=2->rk(triple B B’ O)=2->rk(triple C C’ O)=2->

rk(couple A A’)=2 -> rk(couple B B’)=2 -> rk(couple C C’)=2 ->

rk(triple A B gamma)=2 -> rk(triple A’ B’ gamma)=2 ->

rk(triple A C beta)=2 ->

rk(triple A’ C’ beta) =2 -> rk(triple B C alpha) =2 ->

rk(triple B’ C’ alpha) =2 ->

rk(triple alpha beta gamma) <= 2.

This proof in Coq proceeds exactly the same way as the proof presentedin the previous section. It is simply a bit more technical and requires alot of computation to decide equality between sets which are equal but notsyntactically equal.

6. Conclusions

We described axiom systems for both projective plane geometry and pro-jective space geometry in Coq. We then formally proved that Desarguesproperty can not be proved in the projective plane but it holds in Fano’splane and pappusian planes. Finally we proved Desargues theorem in the≥3-dimensional projective space.

Proofs in the plane were performed in a traditional setting using pointsand lines. In the projective space, we proposed a new way to express nicelyincidence relations thanks to ranks. We designed an axiom system to captureprojective geometry using ranks. We also presented some proof engineeringtechniques that allow having proofs of reasonable size.

Overall, the proofs consist in more than 10000 lines with about 280 lem-mas and their formal proofs4 organized as shown in the figures below.

4The full Coq development is available in the user contributions of Coq.

32

Page 34: A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem∗ Nicolas Magaud, Julien Narboux, Pascal Schreck

2D 3D Totallines of Coq specs 1800 1800 3600lines of Coq proofs 4600 5800 10400

Future work includes further formalization of hexamys in Coq. We expectto formalize all the properties enumerated and proved by Pouzergues in [25].Regarding ≥3-dimensional space, we plan to study how ranks can be used toautomatically derive incidence properties. We believe that the genericity ofthe notation will help the automation process. Geometric algebra can alsobe an alternative mean to handle projective geometry nicely [10].

References

[1] Y. Bertot and P. Casteran. Interactive Theorem Proving and Pro-gram Development, Coq’Art: The Calculus of Inductive Constructions.Springer, 2004.

[2] M. Bezem and D. Hendriks. On the Mechanization of the Proof ofHessenberg’s Theorem in Coherent Logic. J. of Automated Reasoning,40(1):61–85, 2008.

[3] J. Brandt and K. Schneider. Using three-valued logic to specify andverify algorithms of computational geometry. In ICFEM, volume 3785of LNCS, pages 405–420. Springer-Verlag, 2005.

[4] F. Buekenhout, editor. Handbook of Incidence Geometry. North Holland,1995.

[5] C. Cerroni. Non-Desarguian Geometries and the foundations of Ge-ometry from David Hilbert to Ruth Moufang. Historia Mathematica,31(3):320–336, 2004.

[6] S.-C. Chou, X.-S. Gao, and J.-Z. Zhang. Machine Proofs in Geometry.World Scientific, 1994.

[7] Coq development team. The Coq Proof Assistant Reference Manual,Version 8.3. TypiCal Project, 2010.

[8] H. S. M. Coxeter. Projective Geometry. Springer, 1987.

33

Page 35: A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem∗ Nicolas Magaud, Julien Narboux, Pascal Schreck

[9] C. Dehlinger, J.-F. Dufourd, and P. Schreck. Higher-Order Intuition-istic Formalization and Proofs in Hilbert’s Elementary Geometry. InADG’00, volume 2061 of LNAI, pages 306–324. Springer-Verlag, 2000.

[10] L. Dorst, D. Fontijne, and S. Mann. Geometric Algebra for ComputerScience. Elsevier, 2007.

[11] J.-C. Filliatre and P. Letouzey. Functors for Proofs and Programs.In ESOP’2004, volume 2986 of LNCS, pages 370–384. Springer-Verlag,2004.

[12] B. Gregoire, L. Pottier, and L. Thery. Proof Certificates for Algebra andtheir Application to Automatic Geometry Theorem Proving. Submittedfor publication in LNAI as the post-proceedings of ADG’08, 2009.

[13] F. Guilhot. Formalisation en Coq et visualisation d’un cours degeometrie pour le lycee. TSI, 24:1113–1138, 2005. In french.

[14] C. M. Hoffmann and R. Joan-Arinyo. Handbook of Computer Aided Ge-ometric Design, chapter Parametric Modeling, pages 519–541. Elsevier,2002.

[15] P. Janicic, J. Narboux, and P. Quaresma. The area method : a recapit-ulation. submitted, october 2009.

[16] C. Jermann, G. Trombettoni, B. Neveu, and P. Mathis. Decompositionof geometric constraint systems: a survey. International J. of Compu-tational Geometry and Application, 16(5-6):379–414, 2006.

[17] E. Kusak. Desargues theorem in projective 3-space. J. of FormalizedMathematics, 2, 1990.

[18] N. Magaud, J. Narboux, and P. Schreck. Formalizing Projective PlaneGeometry in Coq. Submitted for publication in LNAI as the post-proceedings of ADG’08, September 2008.

[19] L. Meikle and J. Fleuriot. Formalizing Hilbert’s Grundlagen in Is-abelle/Isar. In TPHOLs’03, volume 2758 of LNCS, pages 319–334, 2003.

[20] D. Michelucci, S. Foufou, L. Lamarque, and P. Schreck. Geometricconstraints solving: some tracks. In SPM ’06, pages 185–196. ACMPress, 2006.

34

Page 36: A Case Study in Formalizing Projective Geometry in …...A Case Study in Formalizing Projective Geometry in Coq: Desargues Theorem∗ Nicolas Magaud, Julien Narboux, Pascal Schreck

[21] D. Michelucci and P. Schreck. Incidence Constraints: a CombinatorialApproach. International J. of Computational Geometry and Application,16(5-6):443–460, 2006.

[22] F. R. Moulton. A Simple Non-Desarguesian Plane Geometry. Transac-tions of the American Mathematical Society, (3):192–195, 1902.

[23] J. Narboux. A decision procedure for geometry in Coq. In TPHOLs’04,volume 3223 of LNCS, pages 225–240. Springer-Verlag, 2004.

[24] J. Narboux. Mechanical theorem proving in Tarski’s geometry. InADG’06, volume 4869 of LNAI, pages 139–156. Springer-Verlag, 2007.

[25] R. Pouzergues. Les hexamys. Technical report, IREM Nice, 1993.http://hexamys.free.fr.

35